from the thanks-for-the-exploitable-tech,-US-citizens! dept

Two things remain certain in life: death... and law enforcement agencies using license plate readers obtained with Homeland Security grants for purposes not even remotely related to securing the homeland.

Grant money from a terrorism prevention program of the U.S. Department of Homeland Security through the Virginia Department of Emergency Management provided the funding for automatic license plate readers for several Hampton Roads agencies, including Newport News, Suffolk, Norfolk, Williamsburg, James City County, York-Poquoson and Isle of Wight, said Laura Southard, public outreach coordinator for the state's emergency management department.

Hampton Roads law enforcement departments received $869,000 in 2009, $357,000 in 2010 and $143,000 in 2011 for license plate readers, Southard said.

Delinquent taxpayers in Newport News could have their vehicles impounded if new cameras snap a photo of their license plates around town.

In an attempt to claim the nearly $4 million in delinquent personal property taxes owed, the city will soon begin using license plate scanners to find vehicles on which more than $200 in personal property taxes are owed.

The cameras will be mounted to the backs of six sheriff's department cruisers to automatically read license plate numbers. Those numbers will be cross-searched with a database updated daily of all the license plates in the city with more than $200 in personal property taxes owed, Treasurer Marty Eubank said.

The terms "terrorism" and "drug enforcement" were likely thrown around during the application process, but the end result is the city viewing law enforcement technology as just another revenue generator. A "hit" from the ALPR will result in the vehicle being towed within three days if the delinquent taxes aren't paid off or a payment plan set up.

While the city has every right to pursue delinquent taxes, it has no business re-purposing federally-purchased law enforcement technology to do so. Citizens concerned about ALPR databases housing millions of non-hit records have always been assured that this technology will be used to fight the baddest of the bad: drug dealers, terrorists, auto thieves, kidnappers, etc. But now it's being used to collect back taxes -- hardly the sort of thing Homeland Security funds should be used for.

Things get even more petty a little down the road in Hampton, Virginia. While Newport News' enforcement efforts don't kick in unless more than $200 is owed, Hampton is all about the Lincolns.

Hampton has one camera mounted to a city minivan, not a police vehicle, which is driven around town every week day, said Dave Ellis, field compliance supervisor in the Hampton Treasurer's Office. When field investigators find a vehicle with a license plate for which more than $5 in property taxes is owed, they first place a warning sticker on the vehicle telling the owner to make contact with the city. If there is no response from the owner after about a week, the investigators go back and remove the license plates or put on a wheel lock, Ellis said.

Hampton's tax-collecting ALPRs were first deployed in 2008. It's left unclear how the usually "law enforcement-only" technology ended up in the city's hands, but most likely a Memorandum of Understanding allowed the transfer of the plate readers. To date, $1.4 million in federal funds have been disbursed to pay for law enforcement's ALPRs -- and now some of them are being used to track down $5 property tax deadbeats.

Isle of Wight doesn't even bother doing its own tax collection efforts. According to the article, this is outsourced to a private company with its own plate readers, meaning there's next to zero accountability. Turning a city job private keeps records related to tax collection efforts a little further away from curious constituents and their Freedom of Information requests.

Not that the Hampton Roads law enforcement network is too concerned about overstepping its bounds or potentially violating constitutional rights. As was covered here late last year, these same law enforcement agencies have built their own phone record database -- filled with data obtained from subpoenas, warrants and court orders -- which is shared between the multiple agencies with no apparent oversight.

Once you get past the re-purposing of federal funds for local tax collection, you arrive at the question of cost effectiveness. Hampton sends its city vehicle out every weekday to troll for plates. On top of the paycheck handed out to the driver(s), there's fuel and vehicle wear-and-tear costs to be considered, along with whatever's being paid to maintain the technology and its database. And yet, it seems satisfied to have collected $60,000 in unpaid taxes last year -- seemingly "break even" at best.

The bottom line is this: if you want to use ALPRs to catch delinquent taxpayers, then be upfront about this and use local funds to purchase the equipment. Don't simply use the technology because it's there. Using federally-funded plate readers is basically asking the rest of the US to fund your local tax collection efforts. And just like when law enforcement deploys these readers, there should be explicit, public information about how the data is collected, retained and destroyed. Sure, law enforcement agencies have been less than open about these factors, but at least they have the (poor) excuse that there are means and methods to protect. The cities doing this don't have anything to protect -- at least nothing that would (supposedly) threaten public safety if it were made known.

Students in New Jersey are in the middle of PARCC testing right now. This is a new standardized test which is administered by Pearson. It's not without its detractors; many parents are opting their kids out of the test, and after what Pearson just did I'm sure the number will grow.

A blogger by the name of Bob Braun got his hands on an email one NJ school district superintendent sent out to a mailing list. Said email discusses a dire "security breach" in which a student tweeted a mention of the recent PARCC test.

The superintendent's email wasn't sent to remind teaching staff to keep a better eye on testing students. It was sent to inform the rest of them about a situation she (Elizabeth Jewett) found unacceptable. [all emphasis hers]

Good morning all,

Last night at 10 PM, my testing coordinator received a call from the NJDOE [New Jersey Department of Education] that Pearson had initiated a Priority 1 Alert for an item breach within our school. The information the NJDOE initially called with was that there was a security breach DURING the test session, and they suggested the student took a picture of a test item and tweeted it. After further investigation on our part, it turned out that the student had posted a tweet (NO PICTURE) at 3:18PM (after school) that referenced a PARCC test question. The student deleted the tweet and we spoke with the parent -- who was obviously concerned as to her child's tweets being monitored by the DOE. The DOE informed us that Pearson is monitoring all social media during PARCC testing. I have to say that I find this disturbing -- and if our parents were concerned before about a conspiracy with all the student data, I am sure I will be receiving more letters of refusal once this gets out (not to mention the fact that the DOE wanted us to also issue discipline to the student). I thought this was worth sharing with the group.

Well, the news has gotten out, spreading from Bob Braun's blog to the New York Times and Washington Post. Pearson remains unapologetic for its protection of its test turf, noting that it only monitors public social media posts and cross-references those to ensure it's only reporting currently-testing students to various education agencies. All well and good, but when a private company wields the power to nudge public schools into disciplining students for so-called "security breaches," it's a bit of a problem.

In response to parent concerns, states using Pearson’s new PARCC exam did ask the company to stop cross-checking the names of students suspected of making inappropriate posts against the company’s list of registered test-takers. And New Jersey officials said Thursday that they would review the monitoring process to make sure student privacy is not compromised.

But Pearson isn't the only company keeping an eye on students for school administrators. Politico's coverage contains statements from a number of social media monitoring companies that provide surveillance tools and reporting to a variety of institutions.

Caveon is monitoring social networks on behalf of Pearson to safeguard against leaks of Common Core testing questions. Others -- like the infamous Geo Listening -- are there simply to monitor and report.

Enter the surveillance services, which promise to scan student posts around the clock and flag anything that hints at bullying, violence or depression. The services will also flag any post that could tarnish the reputation of either the student or the educational institution. They’ll even alert administrators to garden-variety teenage hijinks, like a group of kids making plans to skateboard on school property.

Some of the monitoring software on the market can track and log every keystroke a student makes while using a school computer in any location, including at home. Principals can request text alerts if kids type in words like “guns” or “drugs,” or browse websites about anorexia or suicide. They can even order up reports identifying which students fritter away hours on Facebook and which buckle down to homework right after dinner.

Other programs scan all student emails, text messages and documents sent on a school’s online platform and alert school administrators — or law enforcement — to any that sound inappropriate.

Some of the tools run covertly. Others are expressly pointed out by administration to increase the deterrent factor. Some even go so far as to cross-reference multiple social media accounts in order to strip away students' anonymity on networks where no "real name" is required.

These companies generate tons of data and possible "hits," but how useful are they? Gaggle, a service that scans emails, texts and discussion boards for "anything inappropriate," says it sends "thousands" of alerts to schools every year. But its contribution to a better-behaved student body is decidedly minimal.

In Deerfield, Gaggle has unearthed just one serious incident in the past 18 months — an eighth-grader emailing a nude photo of herself, [Deerfield Superintendent Michael] Lubelfeld said.

The same goes for the other monitoring software deployed by Lubelfeld's school district -- which monitors students' computer usage. Only a "few violations" have been detected despite its constant presence.

Sure, the accounts may be public and there's no expectation of privacy in tweets, Facebook posts and school computer usage, but Pearson's monitoring didn't restrict itself to testing hours or even, indeed, school hours. The scope of these companies' surveillance lends itself to tons of false positives, and this can have a very negative effect on students who are going to find themselves punished for off-campus behavior -- or worse, for doing nothing wrong at all.

from the because-piracy! dept

There just seems to be something about the way that some people's brains function (or not) when the word "piracy" is introduced. Over in Ireland, there's been an incredibly long-running battle over whether or not internet access providers need to kick people off the internet if they've been accused (not convicted) of file sharing three times. Such "three strikes" rules have been put in place in a few countries, and the evidence shows that they don't work at all. Not even in the slightest. They don't slow down the rates of piracy for any extended period of time (sometimes they show a very brief drop before people figure out other ways). They certainly don't lead more people to buy content. France, famously, led the way with the very first three strikes law, which the country has already dropped.

Over in Ireland, the fight over three strikes has been going on for nearly a decade. Back in 2008, the recording industry sued Eircom, the large Irish ISP, claiming that the company was required by law to implement a three strikes regime. Eventually, in an effort to avoid legal costs, Eircom caved and agreed to implement a three strikes plan, but with a condition: the recording industry also had to pressure competing ISPs to implement a similar plan so that Eircom customers didn't go fleeing. The recording industry did just that. The ISPs pushed back and seemed to be vindicated when the Irish Data Protection Commission ruled that a three strikes plan violated consumer privacy, and Irish judges found no legal basis for such rules.

Of course, the recording industry fought back, and a court flat out rejected the Data Protection Commission's findings, and insisted there wasn't any privacy issue at all with three strikes.

And, thus, we get back to the lawsuits against ISPs with a judge now ruling against ISP UPC and making some rather astounding statements in the process. The judge, Brian Cregan, appears to have become a true believer in the myths that the recording industry is spreading, and to him "piracy" seems to justify any and all punishment, without any clear concern as to whether or not anyone's actually broken the law, or whether or not three strikes plans even work. These quotes are fairly astounding:

Mr Justice Cregan said that there was "wholesale theft" taking place on the UPC network. He said that the constitutional rights of "a whole class of persons are not just being infringed but are being destroyed". The downloading of music for free is destroying the intellectual property rights of creative artists and should be a matter of great concern in any civilised society, he said.

Except, that's not true. Copyright infringement and "theft" are two separate (and very different) things. And, no constitutional rights are "being destroyed" at all. If someone's rights are being harmed via copyright infringement, those individuals or companies have every right to bring legal cases against those who are the ones actually engaging in infringement. Arguing that ISPs should automatically cut people off of the entire internet based merely on accusations (that have a long history of not being accurate) would seem to be "destroying" the due process rights of many more people than any copyright infringement. Besides, I would also think that "a matter of great concern to any civilized society" would be things like "due process" and better enabling communications and access to information for all -- like the internet does. But, no. If you happen to download a song you like without paying for it, apparently you should be barred from the internet.

"The current generation of writers, performers and interpreters of music cannot have their livelihoods destroyed by advances in technology which allow persons to breach their constitutional rights with impunity.”

Two points on this. Any realistic look at "the current generation of writers, performers and interpreters of music" would recognize that it is an amazing time to be a creative person because of the internet. Thanks to the internet, artists no longer are solely reliant on giant gatekeepers to pick them out of everyone else. Instead, they can use these platforms to create, to connect with fans, to promote, to distribute and to monetize their works. More words are being written, more videos are being filmed and more music is being recorded today than any time in history. It's difficult to see how one can possibly square that reality with this fantasy world of Judge Cregan's in which he believes that writers, performers and musicians are in trouble.

The reality is that it's merely the business models of the old gatekeepers that have been challenged. But that is the nature of the free market. If you cannot keep up with the changing times, you go out of business. But Cregan has apparently decided that the world should always look like it did briefly in the 1980s, and the internet upsets all of that, so clearly, it's the internet that should go.

Not only did Judge Cregan decide that UPC needs to put in place a three strikes plan, but that it should have to cover most of the costs itself, apparently blaming the technology itself for the struggles of the legacy recording industry:

Mr Justice Cregan said the cost of setting up this system had been put at between €800,000 and €940,000, three-quarters of which UPC had argued should be paid for by the music companies.

The judge said however given the music companies' constitutional rights "are being destroyed" by UPC's customers, he believed UPC should pay 80 per cent and the music companies the rest.

Cregan is apparently so sure of himself on this issue -- despite what appears to be an astounding confusion over what's actually happening in the world -- that he further rejected UPC's argument that this is a matter for the legislature, not the courts. Instead, Cregan seems to believe that the courts can magically will into place a new regulation kicking people off the internet. He further rejected requests to refer this matter to the European Court of Justice, insisting that his interpretation of the law is plenty.

It is one thing to argue that a three strikes rule makes sense (despite all of the real world evidence to the contrary). But it is quite bizarre to then justify it based on additional claims about the state of creators today that are simply false. Is this how the Irish judicial system really works? Based on fairy tales and what the judge believes, rather than facts?

from the wonders-will-never-cease dept

The world of online privacy was changed forever by Edward Snowden's revelations of massive, global spying by the US, UK and others. And the repercussions of his actions continue to make themselves felt. Two countries particularly affected by the surveillance conducted against them, Germany and Brazil, have led efforts to appoint a new rapporteur (special expert) for privacy at the United Nations Human Rights Council, and with surprising success. Despite fears that the US or UK might try to block the move, or neuter the role, they both accepted the following resolution, which was adopted by consensus, without a vote:

The Council invites the Special Rapporteur to include in the first report considerations on the right to privacy in the digital age; calls upon all States to cooperate fully with and assist the Special Rapporteur in the performance of the mandate, including by providing all necessary information requested by him or her, to respond promptly to his or her urgent appeals and other communications, to consider favourably the mandate holder’s requests to visit their countries and to consider implementing the recommendations made by the mandate holder in his or her reports.

It will be interesting to see what happens when the Rapporteur comes calling on the NSA and GCHQ asking for more details of their surveillance operations. The resolution affirmed a general right to privacy:

according to which no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, and the right to the protection of the law against such interference...; recognizes the global and open nature of the Internet and the rapid advancement in information and communications technology as a driving force in accelerating progress towards development in its various forms; and affirms that the same rights that people have offline must also be protected online, including the right to privacy.

The Rapporteur will have no real powers to demand information or enforce recommendations. But at the very least, the creation of this new role will help to increase international awareness of the importance of privacy in the digital world, and of the scale of the threats ranged against it.

from the about-time... dept

About a year ago, when we switched to default HTTPS, we pointed out that one of the major reasons why other news sites refused to do the same was that most ad networks would not support HTTPS. In fact, we had to end a number of relationships with ad partners in order to make the move (but we felt it was worth it). The really crazy part was that many of the ad network partners we spoke to clearly had absolutely no clue about HTTPS, what it was and why it's important. But, over the past year, more and more attention has been placed on the value and importance of encrypting web traffic, so it's great to see that the internet ad industry is starting to wake up to this, even if it's pretty late in the process.

In fact, last year was the time to talk about security. From The New York Times to Google, the call went out for websites to encrypt communications with their users, protecting the integrity and privacy of information exchanged in both directions. Even the U.S. government heard this call, and is working to require HTTPS delivery of all publicly accessible Federal websites and web services.

This year, the advertising industry needs to finish catching up. Many ad systems are already supporting HTTPS - a survey of our membership late last year showed nearly 80% of member ad delivery systems supported HTTPS. That’s a good start, but doesn’t reflect the interconnectedness of the industry. A publisher moving to HTTPS delivery needs every tag on page, whether included directly or indirectly, to support HTTPS. That means that in addition to their ad server, the agency ad server, beacons from any data partners, scripts from verification and brand safety tools, and any other system required by the supply chain also needs to support HTTPS.

Let’s break that down a bit more - once a website decides to support HTTPS, they need to make sure that their primary ad server supports encryption. That ad server will sometimes need to include tags from brand safety, audience and viewability measurement, and other tools - all of which also need to support encryption. The publisher’s ad server will often direct to one of several agency ad servers, each of which will also need to serve over HTTPS. Each agency ad server also may include a variety of beacons or tags, depending on how the deal was set up, all of which similarly need to have encrypted versions available. That’s a lot of dependencies - and when one fails to support HTTPS, the website visitor’s experience is impacted, initiating a costly search for the failure point by the publisher.

While I question that 80% number -- given that we had difficulty finding many ad providers who supported HTTPS a year ago -- it's good to see the industry finally recognizing how important this is.
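The dependency chain described in the quoted passage can be audited mechanically. The following is an added example, not code from this post or from the ad industry group quoted above: it walks a constructed, offline tag tree and reports every non-HTTPS resource together with the chain of includes that pulled it in, which is the "search for the failure point" the passage mentions. All hostnames, the `PAGES` map and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample data: URL -> markup that the tag at that URL ends up
# writing into the page. Hostnames are hypothetical (.example) and nothing
# is fetched from the network.
PAGES = {
    "https://news.example/article": """
        <script src="https://ads.publisher-adserver.example/tag.js"></script>
        <img src="https://cdn.news.example/logo.png">
    """,
    "https://ads.publisher-adserver.example/tag.js": """
        <iframe src="https://agency-a.example/creative"></iframe>
        <script src="https://viewability.example/measure.js"></script>
    """,
    "https://agency-a.example/creative": """
        <img src="https://agency-a.example/banner.png">
        <img src="http://beacon.data-partner.example/pixel.gif">
        <script src="//verify.example/check.js"></script>
    """,
    "https://verify.example/check.js": """
        <script src="http://legacy.verify.example/lib.js"></script>
    """,
}

# Tag -> (URL attribute, mixed-content class). Scripts and frames are
# "active" content that browsers block outright on an HTTPS page; media
# is "passive" content that historically produced a warning instead.
SUBRESOURCES = {
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "img": ("src", "passive"),
    "video": ("src", "passive"),
    "audio": ("src", "passive"),
}


class TagCollector(HTMLParser):
    """Collect absolute subresource URLs referenced by one document."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        spec = SUBRESOURCES.get(tag)
        if spec is None:
            return
        attr_name, kind = spec
        value = dict(attrs).get(attr_name)
        if value:
            # urljoin resolves relative and protocol-relative ("//host/x")
            # URLs against the including document, as a browser would.
            self.found.append((urljoin(self.base_url, value), kind))


def audit(url, pages, chain=(), seen=None):
    """Return insecure includes reachable from url, with their include chain."""
    seen = set() if seen is None else seen
    if url in seen:
        return []
    seen.add(url)
    chain = chain + (url,)
    collector = TagCollector(url)
    collector.feed(pages.get(url, ""))  # unknown URLs are treated as leaves
    findings = []
    for child, kind in collector.found:
        if urlsplit(child).scheme != "https":
            findings.append({"url": child, "kind": kind, "chain": chain})
        else:
            findings.extend(audit(child, pages, chain, seen))
    return findings


if __name__ == "__main__":
    for f in audit("https://news.example/article", PAGES):
        print(f"[{f['kind']}] {f['url']}")
        for depth, hop in enumerate(f["chain"]):
            print("  " * (depth + 1) + "included by " + hop)
```

The publisher's own markup is clean in this sample; both failures sit three and four hops down the chain, in systems the publisher does not operate.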

from the keeping-you-safe...-or-keeping-you-vulnerable dept

Back in October, we highlighted the contradiction of FBI Director James Comey raging against encryption and demanding backdoors, while at the very same time the FBI's own website was suggesting mobile encryption as a way to stay safe. Sometime after that post went online, all of the information on that page about staying safe magically disappeared, though thankfully I screenshotted it at the time:

If you really want, you can still see that information over at the Internet Archive or in a separate press release the FBI apparently didn't track down and memory hole yet. Still, it's no surprise that the FBI quietly deleted that original page recommending that you encrypt your phones "to protect the user's personal data," because the big boss man is going around spreading a bunch of scare stories about how we're all going to be dead or crying if people actually encrypted their phones:

Calling the use of encrypted phones and computers a “huge problem” and an affront to the “rule of law,” Comey painted an apocalyptic picture of the world if the communications technology isn’t banned.

“We’re drifting to a place where a whole lot of people are going to look at us with tears in their eyes,” he told the House Appropriations Committee, describing a hypothetical in which a kidnapped young girl’s phone is discovered but can’t be unlocked.

So, until recently, the FBI was actively recommending you encrypt your data to protect your safety -- and yet, today it's "an affront to the rule of law." Is this guy serious?

More directly, this should raise serious questions about what Comey thinks his role is at the FBI (or the FBI's role is for the country). Is it to keep Americans safe -- or is it to undermine their privacy and security just so it can spy on everyone?

Not surprisingly, Comey pulls out the trifecta of FUD in trying to explain why it needs to spy on everyone: pedophiles, kidnappers and drug dealers:

“Tech execs say privacy should be the paramount virtue,” Comey continued, “When I hear that I close my eyes and say try to image what the world looks like where pedophiles can’t be seen, kidnapper can’t be seen, drug dealers can’t be seen.”

Except we know exactly what that looks like -- because that's the world we've basically always lived with. And yet, law enforcement folks like the FBI and various police departments were able to use basic detective work to track down criminals.

If you want to understand just how ridiculous Comey's arguments are, simply replace his desire for unencrypted devices with video cameras in every corner of your home that stream directly into the FBI. Same thing. Would that make it easier for the FBI to solve some crimes? Undoubtedly. Would it be a massive violation of privacy and put many more people at risk? Absolutely.

It's as if Comey has absolutely no concept of a cost-benefit analysis. All "bad people" must be stopped, even if it means destroying all of our freedoms, based on what he has to say. That's insane -- and raises serious questions about his competence to lead a government agency charged with protecting the Constitution.

Despite the fact that no federal license plate legislation has been proposed, the International Association of Chiefs of Police (IACP) has sent a pre-emptive letter to top Congressional lawmakers, warning them against any future restrictions of automated license plate readers. The IACP claims to be the "world's oldest and largest association of law enforcement executives."

The letter is stained with the tears of law enforcement entities whose thirst for bulk collections is only rivaled by national security agencies.

We are deeply concerned about efforts to portray automated license plate recognition (ALPR) technology as a national real-time tracking capability for law enforcement. The fact is that this technology and the data it generates is not used to track people in real time. ALPR is used every day to generate investigative leads that help law enforcement solve murders, rapes, and serial property crimes, recover abducted children, detect drug and human trafficking rings, find stolen vehicles, apprehend violent criminal alien fugitives, and support terrorism investigations.

The "efforts to portray" ALPRs as ad hoc tracking devices aren't limited to imaginative conspiracy theorists. Millions of plate scans are added to private companies' databases every day. The number of records retained by Vigilant, the most prominent manufacturer of ALPRs, totals in the billions. That amount of data can easily be used to track nearly anyone's day-to-day movements. And the database is accessible by law enforcement agencies around the nation. There's no geofencing keeping the data compartmentalized to what's "relevant" to local agencies.

As for the rest of the paragraph, those claims have yet to be backed up by arrest statistics. The amount of plate data collected far outweighs the results.

There is a misconception of continuous government tracking of individuals using ALPR information. This has led to attempts to curtail law enforcement’s use of the technology without a proper and fair effort to truly understand the anonymous nature of the data, how it is used, and how it is protected.

Note how the "misconception" is nothing privacy advocates are actually saying. No one's mistaking plate scans for a GPS tracking device. They've just noted that the end result is nearly identical. Gather enough data and you don't need a more "intrusive" method.

We are seeing harmful proposals – appropriations amendments and legislation – to restrict or completely ban law enforcement’s use of ALPR technology and data without any effort to truly understand the issue. Yet, any review would make clear that the value of this technology is beyond question, and that protections against mis-use of the data by law enforcement are already in place. That is one of the reasons why critics are hard-pressed to identify any actual instances of mis-use.

Translation: no one understands this high-tech device but us cops.

Also: "value" is "beyond question?" If so, why is it so hard to get any law enforcement agency to produce some evidence to back up this claim? It's high tech, but it's also fallible tech. And it's tech that is being deployed with little to nothing in the way of privacy protections or oversight.

Virginia has become the first state in America to impose a very short data retention limit on the use of automated license plate readers (LPRs, or ALPRs). VA cops will now only be able to keep such data for seven days unless there is an active, ongoing criminal investigation.

Only a few states have imposed any legislative limits on the technology. For most US law enforcement agencies, the data is gathered en masse (and sometimes in inappropriate places) and held forever. The LAPD argued that every one of the thousands of plate scans it had gathered is somehow "relevant" to ongoing investigations. When you're faced with claims like that, it's hard to argue with legislative limits being introduced. The police won't police themselves. Someone usually has to force them into applying even the most minimal of restrictions on ALPR use.

We call on Congress to foster a reasonable and transparent discussion about ALPR.

That's rich. "Transparent discussion." The hell does that even mean in a law enforcement context? Agencies don't want to talk about ALPRs, drones, Stingray devices, their officers' misconduct, etc. The prevailing law enforcement mentality is almost completely opposed to transparency. These police associations aren't interested in Congress or anyone else having a "transparent discussion." What they want is a guided discussion that results in more data-hauling business as usual for the agencies these associations represent.

But this sentence is the best thing about this overwrought letter:

If legislative efforts to curtail ALPR use are successful, federal, state, and local law enforcement’s ability to investigate crimes will be significantly impacted given the extensive use of the technology today.

Shorter police: "We like our shiny tech tools so much, we've forgotten how to perform police work." If they can't get as much as they can, as often as they can and access it at their leisure, the streets will run red with the blood of the innocent. This sort of thinking goes all the way to the top, where the FBI's James Comey has promised death, molestation and Colombia 2.0 if the government isn't allowed to build itself backdoors in cellphone encryption.

How a device that delivers a 0.2% hit rate has become something the cops lean on so heavily they simply can't go on without it is a question that deserves a "transparent" answer, rather than the hitch-in-the-throat talking points delivered here. All anyone wants is something telling cops they can't keep everything for as long as they want. They want privacy impact assessments and honest answers to worrying questions. All we've received so far is unproven claims of the tech's "effectiveness" and the constant pimping of dead children and human trafficking victims, with the existential threat of suppliers delivering product to a receptive market thrown in for good measure.

from the largely-symbolic,-still-significant dept

However much the US government might hope otherwise, there is still widespread concern in Europe about the activities of the NSA and its Five Eyes friends. Here's the latest proof of that: a joint motion signed by all political parties in the Austrian parliament, against illegal surveillance (via Netzpolitik). The Parliament's own summary of what the motion contained reads as follows (original in German):

The recent revelations of the US whistleblower Edward Snowden have now acted as a call to action for the six parliamentary groups. In a resolution introduced jointly, they express their support for tackling seriously the illegal spying by the US foreign intelligence NSA, its British counterpart GCHQ and other foreign intelligence services. In their opinion, the [Austrian] government should exhaust all available diplomatic options, and diligently pursue violations of the Austrian Criminal Code. In addition, the MPs urge taking steps at the European level to promote the technological independence of Europe in the field of information and communication technology.

In the justification for the motion, reference was made to the recently-discovered "cyberbug", presumably attributable to the NSA. With this new malware, which cannot be detected by anti-virus software, and can even survive wiping the hard disk undamaged, it is possible for encryption to be circumvented, for example. The Members find equally worrying the theft of millions of electronic encryption keys from the Dutch SIM card producer Gemalto.

Although the motion in itself is unlikely to achieve much, it's a clear indication of continuing anger among European politicians at the activities of the NSA and GCHQ in spying on innocent members of the public, and undermining key elements of telecommunications infrastructure. If nothing else, it's a timely reminder that there are plenty of unresolved issues here, and that they are likely to have serious ramifications on US-EU relations in the future, not least in areas like Safe Harbor and TAFTA/TTIP.

from the let's-discuss-your-shopping-preferences,-susie dept

Samsung recently took a significant media beating after people actually bothered to read the company's privacy policy, only to discover that the company's "smart" TVs were collecting snippets of living room conversation and transmitting them to third parties for analysis. Samsung ultimately issued a blog post stating it was only collecting a limited amount of voice data to improve voice command functionality. Besides, said Samsung, if you don't want your voice commands collected, you can disable the functionality (even though you lose some core TV features in the process).

Of course, while Samsung got the brunt of the public and media hysteria, many people didn't seem to realize that nearly everything that takes voice commands (from your home automation system to your iPhone) already engages in this same behavior. Case in point: Mattel is taking more than a little heat for the company's new "Hello Barbie," which connects to Wi-Fi, and also records kids' voice commands and routes them to an external server in order to improve voice command tech. In this video from February, Mattel shows how Barbie now stores your preferences and even provides career advice:

"Imagine your children playing with a Wi-Fi-connected doll that records their conversations--and then transmits them to a corporation which analyzes every word to learn "all of [the child's] likes and dislikes." That’s exactly what Mattel’s eavesdropping “Hello Barbie” will do if it is released this fall, as planned. But we can stop it!

Kids using "Hello Barbie" won't only be talking to a doll, they'll be talking directly to a toy conglomerate whose only interest in them is financial. It's creepy—and creates a host of dangers for children and families. Children naturally reveal a lot about themselves when they play. In Mattel’s demo, Barbie asks many questions that encourage kids to share information about their interests, their families, and more—information advertisers can use to market unfairly to children."

While the CFCC works to keep the toy from store shelves, Mattel is promising that security and privacy have been their top priority while crafting a doll that learns what kids like:

"Mattel and ToyTalk, the San Francisco-based start-up that created the technology used in the doll, say the privacy and security of the technology have been their top priority. "Mattel is committed to safety and security, and Hello Barbie conforms to applicable government standards," Mattel said in a statement."

The problem is, we've seen repeatedly how the companies rushing face-first toward the billions in potential revenues from the "Internet of Things" market are so fixated on profit that security and privacy have been afterthoughts -- if a thought at all. It doesn't matter if we're talking about Smart TVs with trivial to non-existent security or easily hacked smart car tech, companies are showing again and again that privacy and security really aren't paramount. That's before we even discuss how this collected voice data creates a wonderful new target for nosy governments courtesy of the Third Party Doctrine.

So while some of this hysteria over what's being collected probably veers into hyperbole territory, the cardboard-grade security and privacy standards most companies are adopting certainly create cause for concern. The good news, I suppose: the "smarter" our products get, the bigger the market is for "dumb" products that just sit there and do what they're supposed to do, whether that's a television that just displays the damn signal sent to it or utterly insentient dolls that just shut up, smile and drink their fake tea.

"On the data retention directive, the European Commission does not plan to present a new legislative initiative," Dimitris Avramopoulos told a news conference in Brussels.

It's worth emphasizing that this does not mean bulk data retention is dead in the EU. As an earlier Techdirt post explained, the EU's Member States can still bring in national laws requiring data retention, but those can be challenged in the courts in the light of the CJEU decision, as is already happening. In practice, this means that there is likely to be a wide range of requirements for data retention across Europe, ranging from the most extreme in the UK, for example, to those countries that accept that such mass surveillance is not just intrusive but also ineffectual.